Header graphic for print
Global Media and Communications Watch The International Legal Blog for the Tech, Media and Telecoms Industry
Posted in Cybersecurity, Policy & Regulation Federico Hernández Arroyo

Cybersecurity (or lack thereof) under new administration

Tech, Data, Telecoms & Media, Mexico

Introduction

In 2014 the previous administration announced its commitment to creating a national cybersecurity strategy. This strategy formed part of the National Development Plan 2013-2018, which also provided for the national digital strategy – an initiative aimed at fostering digitisation in Mexico through:

  • a digital government;
  • open data;
  • digital inclusion;
  • enhanced digital skills; and
  •  IT-based health, educational and financial services.

Previous approach

At the end of 2017 – amidst a scandal of political espionage against journalists and activists – the previous administration issued a document on the national cybersecurity strategy, which contained a clear vision, objectives and principles that should have led to the strategy’s creation. The document recognised that cybersecurity was of paramount importance for enhancing public trust in digital services (especially public services) and making them available to all members of society. Further, the document envisioned the creation of a cybersecurity commission, which would be chaired by the scientific division of the federal police. The commission’s main role would be to approve the national cybersecurity strategy, which would, among other things:

  • stablish a national cybersecurity agency;
  • introduce a homogeneous legal framework; and
  • apply a cyber-resilient approach to the protection of critical infrastructure.

However, as the document was not issued until the end of 2017 and the previous administration’s tenure ended in November 2018, there was little time for real action to be taken. Rather, it appears that the previous administration was merely paying lip service to cybersecurity.

Between April and May 2018, the Central Bank of Mexico’s Interbanking Electronic Payment System (SPEI) – which allows people to make almost instant electronic transfers via the Internet – suffered a cyberattack estimated to have cost $16 million. As a consequence of this attack, new cybersecurity regulations for financial institutions were published in November 2018.

The Central Bank has now announced the launch of a new form of digital payment known as ‘CoDi’ (for further details please see “Cashless money transactions – Mexico’s new payment method”), an electronic platform for payments made via smartphones. CoDi will not replace the SPEI, but rather will operate as an additional platform with high cybersecurity standards.

Present approach

On 12 July 2019 the present administration issued its National Development Plan 2019-2024. One short paragraph concerns science and technology, while another short paragraph mentions the Internet for Everyone project (for further details please see “Internet for Everyone?”). The plan does not mention cybersecurity. Although there are still hopes that cybersecurity could be addressed in the soon-to-be-released Communications and Transports Sectorial Programme 2019-2024, it appears that the present administration has no intention of implementing a cybersecurity strategy.

Comment

In the absence of a national cybersecurity strategy, isolated private efforts are likely to arise. However, these are likely to be insufficient to cope with the cyber-threats and attacks that Mexico may face in the future. To date, Mexico has suffered the second-highest number of cyberattacks of any Latin American country. These numbers are likely to continue to increase over the next few years.

For further information on this topic please contact Federico Hernández Arroyo or Ana Rumualdo